By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Most banks are requiring users to provide a second password because they now need to comply with guidance issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC), recommending that banks offering online banking services implement and use two-factor authentication by January 2007. The FFIEC issued the guidance based on a report from the FDIC in 2004, stating that user IDs and passwords alone (single-factor authentication) was inadequate for online banking. The FDIC report outlined how passwords were weak and could be easily cracked, whether by password-stealing Trojans dropped on desktops or malicious shoulder surfers ogling your password.

While simply requiring a second password closely resembles two-factor authentication, it technically isn't, but it does meet the FFIEC's standards. To clear up the confusion and clarify the intent of the guidelines, let's review what two-factor authentication is.

In information security, there are three factors for authentication: something you know (user ID and password), something you have (a smart card or one-time password token) or something you are (a physical characteristic, such as a fingerprint, voice or face). Combining two of these factors creates two-factor authentication. The intent is to provide an extra layer of security, so if one factor is broken there's a second locked door that a malicious attacker would also have to breach to gain access.

As you may have gathered, second passwords, even when disguised as a secret question or a graphic, aren't true two-factor authentication methods. But here's the rub. The FFIEC guidance also states that online banks can use multi-layered authentication, which is a little different than two-factor authentication. This means the FFIEC considers anti-fraud systems and additional passwords as multi-layered authentication.

Google is the latest of the tech giants hiring Wall Street hotshots. The CIO lesson? Partner with your CFO if you want to get ahead. Also in Searchlight: Facebook turns Messenger into an ecosystem; Twitter faces a gender bias lawsuit.